Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Fixes IE Bug

Posted by Zonk on from the quik-fix dept.

aussie_a writes "Without accepting blame Google has quickly patched the vulnerability, without requiring users to download a patch. Previously covered by Slashdot, the flaw allowed people to access files and passwords on a computer via any website when viewed with IE while running Google Desktop." From the article: "'Google was able to address the problem quickly because it didn't require changing any code at the user's desktop,' MacDonald said. 'Google applied more stringent security controls on its main site, which shut down the exploit.' The incident does raise important questions about Google as a desktop software vendor and its plans for rolling out future security fixes, said MacDonald. "

9 of 225 comments (clear)

  1. If they can fix stuff at their end... that's cool! by byolinux · · Score: 5, Insightful

    As more and more desktop apps serve as an interface to a website, it'll become a lot easier to fix and deploy new functionality. This is a good thing.

    --
    Join the Free Software Foundation
  2. Credibility? by connah0047 · · Score: 5, Funny

    The incident does raise important questions about Google as a desktop software vendor and its plans for rolling out future security fixes, said MacDonald.

    I question Mr. MacDonald's credibility. If this is the same gentleman I'm thinking of, he's an older man who has a farm...or at least had one.

  3. Ok everyone.... by brunes69 · · Score: 5, Informative
    This article summary, and also most comments posted so far, are total misinformed garbage.

    First of all, Google did not fix an IE bug. All they did is make their own software a bit more tight in security, so that *they* are not suceptible to the IE bug. It does not *fix* it.

    Second of all, the bug was *not* in Google Desktop, it *is* an IE bug, it just happens that people who use Google Desktop are vulnerable to it since it embeds IE.

    But *ANY* app that embeds IE is (and remains) vulnerable, including many other pieces of software. For example, for all you poker players, if you have an account a UltimateBet, you *are* vulnerable to ths bug, and in theory someone could use it to steal your account information, which is very dangerous, since they may be able th initate withdraws from your account as well.

    This is just the tip of the iceburgm there are literally hundreds of apps that embed the IE engine for rendering. All are at risk.

  4. Indeed by Gruneun · · Score: 5, Funny

    If I remember correctly, he was far more concerned with EI than IE.

    1. Re:Indeed by aug24 · · Score: 5, Funny

      Oh?

      --
      You're only jealous cos the little penguins are talking to me.
  5. Re:Thanks for Fixing the Problem by bigman2003 · · Score: 5, Interesting

    I create web apps for a very widely distributed organization. We have dozens of different offices, all using their own type of Internet connection.

    2 of our ISPs (which are actually government agencies) have blocked IE usage completely. They simply can't get on the network using IE.

    This was in response to last week's security issues.

    One of the apps we run uses IE specific (Active X) controls. They are not required but they just make it much easier for the users. Now those have been blocked in two locations- causing me a lot of headaches. Of course, the standard answer would be, "why did you use IE specific code?" It was an option for users...but they began to rely upon it.

    So I for one, wish that Microsoft would either:

    A- fix the security problems
    B- release an 'IE Secure' browser, that is stripped down but secure
    or
    C- Umm...short of fixing the problems I don't have many other needs.

    I really wouldn't mind if they had a totally secure version of their browser. Just stripped down functionality (cookies, javascript, etc) and pull out the other junk. Yes...we used some of the other junk, but at the time it seemed like a good idea.

    By the way, I am now on the market for a good cross-browser in-line WYSIWYG HTML editor. A flash version would be great too.

    --
    No reason to lie.
  6. An analogy for the comprehension-deficient... by Gruneun · · Score: 5, Insightful

    Dick drives Jane's car.
    Jane's car has a faulty parking brake.
    Dick parks, engages the brake, but the car rolls away.
    Dick stops parking on hills.

    Important Points
    Jane did not fix the parking brake
    Dick did not fix the parking brake, but he no longer uses it.
    Other drivers may or may not be aware of the broken parking brake.
    The potential is still there for the car to roll away.

  7. Re:Thanks for Fixing the Problem by Anonymous Coward · · Score: 5, Informative

    http://tinymce.moxiecode.com/
    http://dynarch.com/projects/htmlarea/
    http://fckeditor.net/
    http://bnl.gov/itd/htmleditor/

  8. Clearing up some of the confusion by matangillon · · Score: 5, Informative

    I'd like to clear up some of the confusion the mainstream media has caused.

    The bug I found is in Microsoft Internet Explorer and not in Google Desktop. This bug remains in the browser and it is in no way fixed. This bug by itself is a pretty serious one and allows for exploitation of many sites that are not Google related.

    My proof of concept code exploited Google Desktop to retrieve private information from a local machine. In order to do that I used the IE bug twice. First I used it on one of Google's sites in order to get a valid key so I can access the local web server that is Google Desktop's interface. The second time was to execute a query on the GDS server and retrieve the results.

    Google basically found a quick hack that nullifies the first portion of the exploit, getting the valid key. They added the following piece of HTML code to their sites, right before the "Desktop" link is revealed: "<!--"/*"/*-->". This makes the IE CSS parser think the rest of the page is a comment so the link won't be visible while trying to read the CSS text.

    The bug in IE remains at large. And GDS itself is still exploitable. If somebody found an XSS hole in one of Google's sites, he would be able to retrive the GDS key and then use the second portion of the exploit to retrieve local results.

    As I said in my original article, this is a serious bug and there's no simple solution for it, at least until IE is fixed.

    Matan